User profile for user: Gaz.Tech
Gaz.Tech Author
User level: Level 1
8 points

Profile Manager not enrolling across VLANs

Hi all,


I have purchased a Mac Mini and set up the server app on it to act as our management platform, I am using AD to authenticate and profile manager for the policies.



My setup procedure:


  1. Created a static IP on our server subnet.
  2. Renamed the box and made sure it showed up in DNS.
  3. Added the Server to the domain.
  4. Set up Server.app
  5. Configured an OD master via server app.
  6. Enabled MDM using our Apple ID.
  7. Set up enroll profiles, also downloaded the trust profile ready to install alongside.

    I have NOT configured any network access rights on profile manager and it is set to all networks.



So far it has been relatively painless, considering before this undertaking the only thing I had done relating to managing macs was setting up Apple Configurator and Meraki to manage iPads at my previous employer.


I have ran into an issue when trying to enroll devices on another VLAN, this process works flawlessly on the same LAN as the server though. Which made me think it was my end of things i.e. firewall or inter lan routing



  1. I have allowed access to tcp 1295 - 1296 in and out from all our VLANs, to the net.
  2. I have allowed access to tcp 5223 in and out from all our VLANs, to the net.
  3. I have allowed access to tcp 1640 in and out from our server VLAN, to the rest of our VLANs.


As documented here.



As soon as the client I am enrolling is not on the same VLAN, the enroll profile fails with a timeout error on the client and the following log entries on the server.



[2644] [2017/03/21 12:27:20.936] I: Processing MagicController#admin_will_load (for 10.250.10.50 at 2017-03-21 12:27:20) [POST]

[2644] [2017/03/21 12:27:21.037] I: auth_token does not exist

[2644] [2017/03/21 12:27:21.038] I: Filter chain halted as [:verify_auth_token] rendered_or_redirected.

[2644] [2017/03/21 12:27:21.038] I: Completed in 101ms (View: 0, DB: 1) | 403 Forbidden https://yc-osx01/magic/admin_will_load

[2645] [2017/03/21 12:27:22.144] I: Processing MagicController#do_magic (for 10.250.10.50 at 2017-03-21 12:27:22) [POST]

[2645] [2017/03/21 12:27:22.259] I: auth_token does not exist

[2645] [2017/03/21 12:27:22.259] I: Filter chain halted as [:verify_auth_token] rendered_or_redirected.

[2645] [2017/03/21 12:27:22.259] I: Completed in 115ms (View: 0, DB: 1) | 403 Forbidden https://yc-osx01/magic/do_magic



Not sure what this means or why being on another network might return a 403 forbidden.



Note that the DNS record in AD is YC-OSX01.my.domain.com, but the HOSTNAME of the server is actually YC-OSX01.local


However if this difference was the issue it would not be functioning on the same LAN either as all our VLANs use the same DNS. Correct?

Mac mini, macOS Sierra (10.12.3)

Posted on Mar 22, 2017 2:59 AM

Reply
2 replies
User profile for user: John Lockwood
John Lockwood
User level: Level 6
13,697 points

Mar 22, 2017 7:31 AM in response to Gaz.Tech

Does the Profile Manager web server login page load successfully on all the VLANs?

Are all the VLANs using the same internal DNS server?

Can all the VLANs ping the YC-OSX01.my.domain.com address?


You should install the Trust Profile before trying to install the Enrolment profile.


All VLANs will need to be able to access the Internet because communications between Profile Manager and clients are negotiated via Apple's APNS - Apple Push Notification Servers. This happens after the client is enrolled so it is not directly the cause of your problem.


I am not sure you have opened all the ports needed, this is Apple's official document listing the ports required by Profile Manager. See Ports used by Profile Manager in macOS Server - Apple Support


This is the related document for the ports used by Apple Push Notifications. See If you aren't getting Apple push notifications - Apple Support


Also Apple Push Notifications cannot be sent via a proxy server and must be allowed through your network and firewall unproxied. The HTTP and HTTPS traffic for Profile Manager can potentially be sent via a proxy server or a reverse proxy server.


I would also have another look at your host name for the Profile Manager server. First do forward and reverse DNS lookups for that server i.e. confirm YC-OSX01.my.domain.com resolves to the correct IP address, and that that IP address reverse resolves back to YC-OSX01.my.domain.com


Then open Server.app on the Profile Manager server, login/connect and then click on name of the server in the top left of the Window. It should now list the Host Name, the Computer Name and the public IP address if reachability worked.


Assuming the DNS tests worked correctly but Server.app is showing the Host Name as YC-OSX01.local you could try using the 'Edit Host Name' to fix this. If it works it should update this to YC-OSX01.my.domain.com


If it still behaves as YC-OSX01.local you could try the following in Terminal.app


sudo scutil --set HostName YC-OSX01.my.domain.com

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Profile Manager not enrolling across VLANs

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up